Hello!
I have a few clients for my VPN Wireguard Server running on a Mikrotik Router. Each client succeeds in connecting to the VPN server only immediately after the peer configuration is enabled on the Mikrotik or the configuration is newly created, not later. Once a client gets connected, no other client can connect to the VPN server. No matter the firewall configuration, the behavior is the same, and I tested with all drop rules disabled. I have been trying for weeks to solve this issue but no luck until now…
Please give me an idea what can I do.
Thanks
config.rsc (12.4 KB)
Is that your “server” config?
I suspect your problem is here:
add allowed-address=0.0.0.0/0
If you use that on all peers, your “server” will not know what needs to go where.
If one peer is active, there is no confusion. If a second one comes in using the same settings, it’s chaos all over and done.
Only use the peer endpoint address there (with /32) and any other subnets allowed to enter for that specific peer.
You need to make sure there are no overlaps in allowed addresses. Or, again, wireguard does not know what to send where.
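Added example, not part of the original thread: WireGuard picks the outgoing peer by matching the destination against each peer's allowed addresses, so two peers on one interface must not have overlapping entries. The Python check below flags such overlaps in a RouterOS-style export; the sample export, key placeholders and the function names `parse_peers` and `find_overlaps` are constructed for illustration, and it assumes one peer per line.

```python
import ipaddress
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample in RouterOS export style (not the poster's config).
SAMPLE_EXPORT = """\
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 public-key="PEER_A_KEY"
add allowed-address=0.0.0.0/0 interface=wireguard1 public-key="PEER_B_KEY"
add allowed-address=10.9.0.2/32,192.168.50.0/24 interface=wireguard2 public-key="PEER_C_KEY"
add allowed-address=10.9.0.3/32 interface=wireguard2 public-key="PEER_D_KEY"
"""

def parse_peers(export_text):
    """Return {interface: [(public_key, [ip_network, ...]), ...]}."""
    peers = defaultdict(list)
    in_section = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Only "add" lines under the WireGuard peers menu are relevant.
            in_section = line == "/interface wireguard peers"
            continue
        if not in_section or not line.startswith("add "):
            continue
        fields = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
        nets = [ipaddress.ip_network(a, strict=False)
                for a in fields.get("allowed-address", "").split(",") if a]
        key = fields.get("public-key", "?").strip('"')
        peers[fields.get("interface", "?")].append((key, nets))
    return peers

def find_overlaps(export_text):
    """List (interface, key_a, net_a, key_b, net_b) for ambiguous peer pairs."""
    conflicts = []
    # Overlap only matters between peers that share one WireGuard interface.
    for iface, plist in parse_peers(export_text).items():
        for (key_a, nets_a), (key_b, nets_b) in combinations(plist, 2):
            for net_a in nets_a:
                for net_b in nets_b:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        conflicts.append((iface, key_a, str(net_a), key_b, str(net_b)))
    return conflicts

if __name__ == "__main__":
    for iface, ka, na, kb, nb in find_overlaps(SAMPLE_EXPORT):
        print(f"{iface}: {ka} ({na}) overlaps {kb} ({nb})")
```
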
Hello!
Yes, it is my server config, and now I have started to understand where the issue is. It is related to that allowed-address=0.0.0.0/0. Briefly, if my WG server interface is 10.8.0.1 and the clients are 10.8.0.2 and 10.8.0.3 and so on, what should allowed-address be? I tested with a different WG server for each WG client and the same allowed-address=0.0.0.0/0, and it seems to work.
Thank you!
From your two examples:
10.8.0.2/32 and 10.8.0.3/32 respectively.
It’s quite well explained in the Wireguard documentation.
https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel
Hello!
I read the steps you recommended and changed the wg server to 10.8.0.1/24 and the clients to 10.8.0.2/32 and 10.8.0.3/32, but unfortunately it is the same situation as at the beginning… two or more clients can’t work at the same time.
Thanks!
Can you please post the latest config again, as well as the one of the 2 peers?
Mask the keys. Just make sure it’s clear where they are supposed to be the same.
Hello!
I attached the config file. All sensitive data are edited. The server I’m talking about is WG_1, interface wireguard1, IP 10.8.0.1 and peers 10.8.0.2 and 10.8.0.3. All settings are attached.
Thanks a lot!


config.rsc (11.5 KB)